[AUTO-CHERRYPICK] Fix fluent-bit CVE-2024-34250 with a patch - branch main

SPECS/fluent-bit/CVE-2024-34250.patch

@@ -0,0 +1,114 @@
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
+index 2a06f42..87af852 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
+@@ -219,7 +219,10 @@ type2str(uint8 type)
+ static bool
+ is_32bit_type(uint8 type)
+ {
+-    if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
++    if (type == VALUE_TYPE_I32
++        || type == VALUE_TYPE_F32
++        /* the operand stack is in polymorphic state */
++        || type == VALUE_TYPE_ANY
+ #if WASM_ENABLE_REF_TYPES != 0
+         || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
+ #endif
+@@ -6690,6 +6693,7 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
+     int32 i, available_stack_cell;
+     uint16 cell_num;
+
++    bh_assert(loader_ctx->csp_num > 0);
+     if (loader_ctx->csp_num < depth + 1) {
+         set_error_buf(error_buf, error_buf_size,
+                       "unknown label, "
+@@ -7758,8 +7762,7 @@ re_scan:
+                 }
+
+                 if (available_stack_cell > 0) {
+-                    if (is_32bit_type(*(loader_ctx->frame_ref - 1))
+-                        || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
++                    if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
+                         loader_ctx->frame_ref--;
+                         loader_ctx->stack_cell_num--;
+ #if WASM_ENABLE_FAST_INTERP != 0
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
+index 47ec549..157a82c 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
+@@ -51,7 +51,10 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
+ static bool
+ is_32bit_type(uint8 type)
+ {
+-    if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
++    if (type == VALUE_TYPE_I32
++        || type == VALUE_TYPE_F32
++        /* the operand stack is in polymorphic state */
++        || type == VALUE_TYPE_ANY
+ #if WASM_ENABLE_REF_TYPES != 0
+         || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
+ #endif
+@@ -3930,7 +3933,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
+     ctx->frame_ref--;
+     ctx->stack_cell_num--;
+
+-    if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY)
++    if (is_32bit_type(type))
+         return true;
+
+     ctx->frame_ref--;
+@@ -5839,13 +5842,11 @@ re_scan:
+             case WASM_OP_BR_TABLE:
+             {
+                 uint8 *ret_types = NULL;
+-                uint32 ret_count = 0;
++                uint32 ret_count = 0, depth = 0;
+ #if WASM_ENABLE_FAST_INTERP == 0
+-                uint8 *p_depth_begin, *p_depth;
+-                uint32 depth, j;
+                 BrTableCache *br_table_cache = NULL;
+-
+-                p_org = p - 1;
++                uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1;
++                uint32 j;
+ #endif
+
+                 read_leb_uint32(p, p_end, count);
+@@ -5854,6 +5855,16 @@ re_scan:
+ #endif
+                 POP_I32();
+
++                /* Get each depth and check it */
++                p_org = p;
++                for (i = 0; i <= count; i++) {
++                    read_leb_uint32(p, p_end, depth);
++                    bh_assert(loader_ctx->csp_num > 0);
++                    bh_assert(loader_ctx->csp_num - 1 >= depth);
++                    (void)depth;
++                }
++                p = p_org;
++
+ #if WASM_ENABLE_FAST_INTERP == 0
+                 p_depth_begin = p_depth = p;
+ #endif
+@@ -5879,8 +5890,8 @@ re_scan:
+                                       error_buf, error_buf_size))) {
+                                 goto fail;
+                             }
+-                            *p_org = EXT_OP_BR_TABLE_CACHE;
+-                            br_table_cache->br_table_op_addr = p_org;
++                            *p_opcode = EXT_OP_BR_TABLE_CACHE;
++                            br_table_cache->br_table_op_addr = p_opcode;
+                             br_table_cache->br_count = count;
+                             /* Copy previous depths which are one byte */
+                             for (j = 0; j < i; j++) {
+@@ -6099,8 +6110,7 @@ re_scan:
+                             && !cur_block->is_stack_polymorphic));
+
+                 if (available_stack_cell > 0) {
+-                    if (is_32bit_type(*(loader_ctx->frame_ref - 1))
+-                        || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
++                    if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
+                         loader_ctx->frame_ref--;
+                         loader_ctx->stack_cell_num--;
+ #if WASM_ENABLE_FAST_INTERP != 0

SPECS/fluent-bit/fluent-bit.spec

@@ -1,12 +1,13 @@
 Summary:        Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name:           fluent-bit
 Version:        2.2.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://fluentbit.io
 Source0:        https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-34250.patch
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  cyrus-sasl-devel
@@ -80,6 +81,9 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Wed May 30 2024 Sindhu Karri <lakarri@microsoft.com> - 2.2.3-2
+- Fix CVE-2024-34250 with a patch
+
 * Tue May 28 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.2.3-1
 - Auto-upgrade to 2.2.3 - CVE-2024-4323